Malware figures for the first half of 2018: The danger is on the web

Back to Press Archive

logo-gdataMore often than not, today’s malware is distributed via the web – executable files are becoming less of a problem. Also, the G DATA security experts were able to identify a particular trend in the first half of the year that targets users’ computers.

Like the IT industry in general, the development of current malware families and their use is subject to strong fluctuations. This also shows in the latest analyses from the G DATA SecurityLabs: Nine of the ten most common malware threats for PC users from the past year were no longer among the top 10 threats of the first half of 2018. The attacks are also launched more often from websites and not only via executable files, like in the past.

“Traditionally, malware has been spread mainly through executable files. However, we see a significant increase in web-based attacks, some of which require no files at all,” says Ralf Benzmüller, Executive Speaker of G DATA SecurityLabs. “Attacks via macros in office documents are also common and encourage users to interact. The ever faster development cycles of malware mean that users can only be comprehensively protected with proactive technologies from the G DATA SecurityLabs”.

Some statistics collected by G DATA Security Labs

The following figures are based on statistics collected by the G DATA SecurityLabs. Information is being compiled through the Malware Information Initiative (MII), where G DATA customers can voluntarily transmit statistical data to the company about identified and averted threats. This allows for a more accurate analysis of current samples with respect to currently active threats.

Cryptojacking dominated 2018 so far

Cryptojacking – the surrepticious mining of crypto currencies, usually Monero – had a special significance in the first half of the year. Especially in the first quarter of this year, cryptominers were hidden on numerous websites. Those websites download scripts to the user’s computer and then cause a high processor load. In some cases, however, the mining functions can also be found in executable files such as the game Abstractism that was provided through Steam – for more details on this, you can read our blog article “Abstractism: Cryptomining game removed from Steam Store”.

It is not always clear whether or not users have consented to such actions beforehand. Therefore, G DATA partly classifies cryptomining as malware, especially if the intention is clearly malicious. In some cases, cryptominers are classified as a “Potentially Unwanted Program” (PUP).  There are three coin miners among the top 10 malware threats, and four among the top 10 PUP detections.

What is new is that the bytecode web assembly is not only used in website-based miners, but also in malware. Webassembly is a supplement to Javascript, and is now supported by all popular browsers. With Webassembly, web developers can achieve significantly faster loading times and faster code execution – this makes the web standard an ideal technology for a coin miner.

Technically significant: More and more often, malware uses lesser-known Windows system functions to execute malicious commands with command line scripts. For example, the G DATA security researchers were able to use the heuristic detection of Voiv malware-samples to block numerous attacks that use “scheduled tasks” in Windows to make changes to the system. The malware disguises itself by claiming to be a browser-related process. Depending on the variant, they execute different types of code through scripting engines – for example, they do this to update the malware itself or to load additional malware modules.

Chronic security problems

Also known as a chronic security problem is Adobe’s Flash plugin. A vulnerability from 2017 (CVE-2017-3077) ranked seventh in the Top 10 of averted threats among G DATA users. Here, a manipulated image in PNG format is used to insert malicious code into a user’s computer and exploit the vulnerabilities. Once such a bridgehead has been created for the attack, further malicious code can be reloaded. G DATA advises you to stop using Adobe’s Flash Player and uninstall it. If you can’t manage to live without it, you should always install updates immediately, as soon as they become available.

Gamers, beware!

Ranking in a #4 and #8 are generic malware detections that disguise themselves as cracked versions of games. Malware authors often hide their malware in games. This tendency is not limited just to Windows computers. Especially on Android, games for children are a focus of fraudsters. G DATA recently warned against fake versions of the Fortnite app for Android in a blog article .

Many Potentially Unwanted Programs (PUP), in addition to the Monero miners, come in the shape of applications that manipulate browser settings of the users without being asked – for example, they change the set start page or the preset search engine or install annoying toolbars. “Open Candy” and the “Mindspark”-Framework, which are mainly hidden in freeware-installers, have been known for this type of behavior for years. These are still being spread and recognized by the G DATA security solutions. It is interesting that software which is classified as a PUP, such as Win32.Application.DownloadGuide.T, now also recognizes virtual machines and tries to avoid detection by antivirus programs by displaying a less aggressive behavior in case it runs on a virtual machine.

Prevented attacks are slightly declining

The number of overall reports on prevented attacks in the past six months were slightly lower than in the previous year. In the second quarter of 2018 in particular, the figures reported were lower than before.

The statistics also show that the malware situation varies greatly from country to country. Most prevented malware and PUP infections were reported from Turkey in the first half of 2018, well ahead of second-placed Israel. In Turkey, G DATA security solutions have primarily prevented infections with well-known tools for cracking Microsoft software. Germany is in the middle of the field when it comes to prevented threats.

The development of new types of malware also declined slightly in the first half of the year compared with the previous year. In total, G DATA SecurityLabs has classified 2,396,830 new samples as harmful. On average, about 13,000 new malware samples were detected every day, i.e. about 9 per minute. Benzmüller comments on the figures: “We expect the number of new malware types to increase slightly again in the second half of the year. It will probably not be a record year. But the individual attacks are becoming more and more sophisticated and targeted.”


G DATA Software AG, with its head office in Bochum, is an innovative and quickly expanding software house focusing on antivirus security solutions. As a specialist in Internet security and pioneer in the field of virus protection, the company, founded in Bochum in 1985, developed the first antivirus program more than 20 years ago and celebrated its 25th birthday in 2010. Consequently G DATA is amongst the eldest security software companies in the world.
Over more than five years, no other European security software provider has won national and international tests and awards more frequently than G DATA. When it comes to quality, G DATA is a world leader, combining the world’s best security technologies in its antivirus products. Examples of this are its DoubleScan technology, with two independent virus scanners, and OutbreakShield instant protection. G DATA security solutions are available worldwide in more than 90 countries.

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to Press Archive